The Computer Forensics Show Conference
April 19-20, 2010, New York, NY

Demystifying the Microsoft Extended File System (exFAT)
Robert Shullich CPP, CISSP, CISM, CISA, CGEIT, GSEC, GCFA

This information is provided for your review only and is not for any distribution. Any reproduction, modification, distribution, transmission, display or republication of the content is strictly prohibited.

Agenda
• Why a new file system
• Forensics relevance
• Features
• Advantages
• Timelines
• Support
• Limits
• Internals

Why do we need a new file system?
• Current limits exhausted
• Larger volumes (>2TB)
• Larger file sizes (>4GB)
• Faster I/O (300MB/s)
• Removable media
• Flexibility
• Extensibility
• NTFS features without the overhead

Relevance to Forensics Study
• Digital evidence extraction
  – Finding the evidence
  – Including the hiding places
  – Validation
• Daubert expert testimony
  – Need to know and understand file organization
• New media (SD cards) will drive exFAT adoption, and the potential for CP investigations

What happens when you have exFAT formatted media and no exFAT support?
Forensics Challenges
• Linux OS support
• Open source tools
• Commercial tools
  – EnCase
  – FTK
• Documentation

Disclaimer
• The released specification and implementation is Release 1.00 of exFAT
• The specification mentions additional features that are not implemented yet, but may be at a future time. Some of these are Windows CE holdovers
• Both may be presented today
• Some directory entries will be skipped

International System of Units (SI) Table
• File system sizes are given in powers of 2
• Device characteristics are given in powers of 10

Shorthand  Longhand   Nth    Bytes
KiB        Kibibyte   2^10   1024
MiB        Mebibyte   2^20   1024 KiB
GiB        Gibibyte   2^30   1024 MiB
TiB        Tebibyte   2^40   1024 GiB
PiB        Pebibyte   2^50   1024 TiB
EiB        Exbibyte   2^60   1024 PiB
ZiB        Zebibyte   2^70   1024 EiB
YiB        Yobibyte   2^80   1024 ZiB

Features of exFAT 1.00
• Sector sizes from 512 to 4096 bytes
• Cluster sizes up to 32MiB
• Subdirectories up to 256MiB
• Built for speed: less overhead than NTFS, but has some of the NTFS features
• UTC timestamp support
• OEM Parameters sector for device-dependent parameters
• 12-sector VBR, supporting a larger boot program
• Potential capacity of 64ZiB
• Up to 2,796,202 files per subdirectory

Future Features of exFAT
• TexFAT (to be released later)
  – Exists in Windows CE
  – Transaction-safe exFAT
• ACL (to be released later)
  – Exists in Windows CE
• Encryption support?
  – Not announced, but it has been mentioned how easy it would be to add

MBR Partition Limitations
• Microsoft file systems are limited when stored in an MBR partition
• A partition is defined by a Master Boot Record
• An MBR uses a 4-byte value for the number of sectors
• To get the maximum volume size, exFAT cannot be created within a partition

Advantages of exFAT
• Handles growing capacities in media, increasing capacity to >32 GB
• >1000 files in a single directory
• Speeds up storage allocation processes
• Breaks the 4 GB file size barrier
• Supports interoperability with future desktop OSs
• Provides an extensible format

Key Dates for exFAT
• September 2006 – Windows CE 6.0
• March 2008 – Windows Vista Service Pack 1
• January 2009 – Announcement at CES of the SDXC specification
• January 2009 – Windows XP drivers available
• May 2009 – Windows Vista Service Pack 2
• August 2009 – Tuxera signs file system IP agreement with Microsoft
• March 2009 – Pretec releases first SDXC cards
• December 2009 – Microsoft (re)announces exFAT license program for third parties
• December 2009 – SDXC laptops due soon
• December 2009 – DiskInternals releases exFAT recovery utility
• December 2009 – EnCase support

More Key Dates for exFAT
• December 2009 – Sony, Canon & Sanyo license
• January 2010 – Funai license (LCD TV)
• February 2010 – Panasonic license
• February 2010 – Panasonic 64/48GB SDXC
• February 2010 – Sony Memory Stick XC
• February 2010 – SanDisk Ultra XC 64GB card, 3.0 spec, $350

SD Card Association
• New memory card
• Consumer appliances
• Follows SDHC
• Specification for 2TB capacity

SDXC Storage Capabilities
• From 32GB to 2TB on a card
• Exclusively exFAT file system
• 300 MB/s I/O transfer
• Storage
  – 4,000 RAW images
  – 100 HD movies
  – or 60 hours of HD recording
  – 17,000 fine-grade photos
  – in a single directory

Support for exFAT
• Windows XP & Server 2003 – KB955704
• Vista & Server 2008 SP1
• Vista & Server 2008 SP2 – (adds UTC timestamp support)
• Windows 7

Reference Standards
• Bits are numbered right to left – 76543210
• Decimal offsets
• Little-endian numbers
• Unsigned numbers
• Sectors vs. clusters
• Strings not terminated

File System Integrity
• Version verified
• 3 checksums
  – VBR
  – UP-Case Table
  – File Set
• Critical directory entries
• Other checks and balances
• File system should NOT mount if there are failures

exFAT Limits
• Volume size 128PiB
  – MS said 64ZiB
  – MS now says 256TiB
• File size 16 EiB (64-bit number)
  – Bigger than the volume size
• Subdirectory 256MiB
• Sector 512-4096 bytes (2^9-2^12)
• Cluster 32MiB (2^25)
• No floppy support
• No FAT32 minimum cluster restriction
• No 8.3 file name support

Data Hide Alert!
• FAT32 max cluster 32KiB
• exFAT max cluster 32MiB
• Potential for massive slack space

Volume Space Layout
• The Main Boot Region
  – Contains the main VBR
• The Backup Boot Region
  – Contains the backup VBR
• The FAT Region
  – Contains the FAT table(s)
• The Data Region (Cluster Heap)
  – This is where data resides

VBR – Volume Boot Record
• Contains 12 sectors
  – 1 sector: main boot sector
    • Jump code (3 bytes)
    • BPB (BIOS Parameter Block)
    • Boot strap code
  – 8 sectors: main extended boot sectors
  – 1 sector: OEM parameters
  – 1 sector: reserved
  – 1 sector: VBR checksum

Boot Parameter Block (BPB)
• OEM label “EXFAT   ”
• Volume length (64-bit) [sectors]
• FAT location & size [sectors]
• Heap location & size [sectors, clusters]
• Volume serial number
• Location of root directory [cluster]
• Volume flags
• Sector and cluster sizes [2-shift]
• Percent in use
• File system revision (0x0010 = 1.00)

Sectors & Clusters
• A 2-shift is a power of 2
• Sector size and sectors per cluster
  – Each stored in 1 byte
  – Theoretical maximum is 2^255
  – Sector size maximum 2^12
  – Sectors per cluster is derived
  – Cluster size maximum is 2^25

Executable Boot Code
• First 3 bytes of the main boot sector
  – Jump code – 0xEB7690
• Offset 120, size 390
  – Remainder of boot code
• Offset 510 – End
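As an added example (not code from the deck or from Microsoft), the following Python builds a 12-sector VBR, unpacks the BPB fields listed above, applies the jump-code, OEM-label, end-signature and 2-shift checks, and computes and verifies the VBR checksum sector that the deck describes on the next slides, using the rotate-right-and-add algorithm from Microsoft's published exFAT specification, which skips the VolumeFlags (offsets 106-107) and PercentInUse (offset 112) bytes. The volume geometry, serial number and boot-code bytes are constructed sample values; each extended boot sector ends with the 4-byte 0xAA550000 marker.

```python
import struct

# exFAT main boot sector, per the published specification (decimal offsets,
# little-endian): 0 JumpBoot(3), 3 FileSystemName(8), 11 MustBeZero(53),
# 64 PartitionOffset(8), 72 VolumeLength(8), 80 FatOffset(4), 84 FatLength(4),
# 88 ClusterHeapOffset(4), 92 ClusterCount(4), 96 FirstClusterOfRootDirectory(4),
# 100 VolumeSerialNumber(4), 104 FileSystemRevision(minor,major), 106 VolumeFlags(2),
# 108 BytesPerSectorShift, 109 SectorsPerClusterShift, 110 NumberOfFats,
# 111 DriveSelect, 112 PercentInUse, 113 Reserved(7), 120 BootCode(390), 510 0xAA55.
BPB = struct.Struct("<3s8s53xQQIIIIIIBBHBBBBB7x390sH")
JUMP_CODE, OEM_LABEL, SECTOR = b"\xEB\x76\x90", b"EXFAT   ", 512
VOLATILE = (106, 107, 112)   # VolumeFlags and PercentInUse: left out of the checksum


def boot_checksum(first_eleven: bytes) -> int:
    """32-bit rotate-right-and-add over the first 11 VBR sectors (spec algorithm)."""
    checksum = 0
    for index, byte in enumerate(first_eleven):
        if index in VOLATILE:
            continue
        checksum = ((((checksum << 31) & 0xFFFFFFFF) | (checksum >> 1)) + byte) & 0xFFFFFFFF
    return checksum


def build_sample_vbr() -> bytes:
    """Constructed 12-sector VBR for a 1 GiB volume with 512-byte sectors and
    256 sectors per cluster (the deck's 128 KiB samples); geometry, serial
    number and boot code are made up."""
    main = BPB.pack(
        JUMP_CODE, OEM_LABEL,
        0, 2_097_152,          # PartitionOffset, VolumeLength (sectors)
        2048, 64,              # FatOffset, FatLength (sectors)
        4096, 8176,            # ClusterHeapOffset, ClusterCount = (2097152-4096)/256
        4, 0x12345678,         # FirstClusterOfRootDirectory, VolumeSerialNumber
        0, 1,                  # FileSystemRevision minor, major -> 1.00
        0,                     # VolumeFlags
        9, 8,                  # BytesPerSectorShift, SectorsPerClusterShift
        1, 0x80, 42,           # NumberOfFats, DriveSelect, PercentInUse
        bytes(i & 0xFF for i in range(390)), 0xAA55)   # stand-in boot code, signature
    extended = bytearray(SECTOR)
    extended[-4:] = b"\x00\x00\x55\xAA"   # 0xAA550000 marker ends each extended boot sector
    body = main + bytes(extended) * 8 + bytes(SECTOR) * 2   # + OEM parameters + reserved
    return body + struct.pack("<I", boot_checksum(body)) * (SECTOR // 4)   # checksum sector


def verify_vbr(vbr: bytes) -> bool:
    """The 12th sector must be the checksum of the first 11, repeated to fill it."""
    if len(vbr) != 12 * SECTOR:
        return False
    expected = struct.pack("<I", boot_checksum(vbr[:11 * SECTOR])) * (SECTOR // 4)
    return vbr[11 * SECTOR:] == expected


def parse_bpb(sector: bytes) -> dict:
    """Unpack the BPB, apply the deck's sanity checks, and convert 2-shift sizes
    and sector/cluster addresses into byte offsets."""
    (jump, name, _part, volume_length, fat_offset, fat_length, heap_offset,
     cluster_count, root_cluster, serial, rev_minor, rev_major, flags, bps_shift,
     spc_shift, num_fats, _drive, percent, _code, signature) = BPB.unpack_from(sector)
    if jump != JUMP_CODE or name != OEM_LABEL or signature != 0xAA55:
        raise ValueError("jump code, OEM label or 0xAA55 signature missing")
    if not 9 <= bps_shift <= 12 or bps_shift + spc_shift > 25:   # sector 2^9..2^12, cluster <= 2^25
        raise ValueError("sector/cluster shift out of range")
    bytes_per_sector = 1 << bps_shift
    bytes_per_cluster = bytes_per_sector << spc_shift
    fat_cells = fat_length * bytes_per_sector // 4                # 32-bit cells
    heap = heap_offset * bytes_per_sector
    return {
        "revision": "%d.%02d" % (rev_major, rev_minor),
        "bytes_per_sector": bytes_per_sector,
        "bytes_per_cluster": bytes_per_cluster,
        "volume_bytes": volume_length * bytes_per_sector,
        "fat_byte_offset": fat_offset * bytes_per_sector,
        "fat_cells": fat_cells,
        "fat_covers_heap": fat_cells >= cluster_count + 2,       # cells 0 and 1 are reserved
        "heap_byte_offset": heap,
        "root_dir_byte_offset": heap + (root_cluster - 2) * bytes_per_cluster,  # cluster 2 = first heap cluster
        "number_of_fats": num_fats, "active_fat": flags & 1,
        "volume_dirty": bool(flags & 2), "percent_in_use": percent,
        "serial": "%08X" % serial,
    }


def with_volatile_fields_changed(vbr: bytes) -> bytes:
    """Dirty bit set and PercentInUse changed: the stored checksum stays valid."""
    v = bytearray(vbr)
    v[106] |= 0x02
    v[112] = 77
    return bytes(v)


def with_boot_code_changed(vbr: bytes) -> bytes:
    """One byte of boot code altered: the stored checksum no longer verifies."""
    v = bytearray(vbr)
    v[200] ^= 0xFF
    return bytes(v)


if __name__ == "__main__":
    vbr = build_sample_vbr()
    for key, value in parse_bpb(vbr).items():
        print("%-22s %s" % (key, value))
    print("checksum ok:", verify_vbr(vbr))
    print("after flags/percent change:", verify_vbr(with_volatile_fields_changed(vbr)))
    print("after boot code change:", verify_vbr(with_boot_code_changed(vbr)))
```

The two tamper helpers show the checksum's scope: changing VolumeFlags and PercentInUse leaves the stored checksum valid, while altering a single byte of boot code does not (each checksum step is a bijection on the running value, so a one-byte change can never cancel out). A checksum failure on an otherwise well-formed VBR is therefore a reason to examine the boot code before trusting the volume, which is the point of the deck's "boot sector virus & checksum" bullet.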
  signature marker – 0xAA55 = “55AA”
• Offset 512 – Unused if defined

More Bootable Code
• Up to 8 main extended boot sectors
  – FAT32 had a 3-sector VBR with 1 MEBS
  – Entire sector can be used for boot code
  – Last 8 bytes of the sector is the marker – 0xAA550000 = “000055AA”
• Larger capacity for a boot virus!

VBR Checksum Sector
• The 12th sector of the VBR
• Repeating 4-byte checksum
• Checksum of the previous 11 sectors
• Flags and Percent excluded
  – These are volatile and change often
• Boot sector virus & checksum

VBR Checksum Sector (hex dump; the 4-byte checksum repeats through the whole sector)
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000010  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000020  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000030  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000040  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
Lines 00000050 through 000001BF repeated
000001C0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
000001D0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
000001E0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
000001F0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹

FAT – File Allocation Table
• When it is used, same as legacy FAT
• Not used when a file is contiguous
• Never used for cluster allocation
• FAT32 has 32-bit cells, uses 28 bits
• exFAT has 32-bit cells, uses 32 bits
• Maximum clusters is 2^32-11
• With TexFAT – 2 FAT tables (2 bitmaps)
• Addressed by pointer in the VBR
• Size stored in the VBR
  – There is no 64-bit FAT

Cell Values in FAT Table
• 0x00000000 – No significant meaning
• 0x00000001 – Not a valid cell value
• 0xFFFFFFF6 – Largest value
• 0xFFFFFFF7 – Bad block
• 0xFFFFFFF8 – Media descriptor – fixed disk
• 0xFFFFFFF9-0xFFFFFFFE – Not defined
• 0xFFFFFFFF – End of File (EOF)

FAT Table Example (4-byte cells; cell 0 media descriptor, cell 1 reserved, cell 2 Allocation Bitmap, cell 3 UP-Case Table, cell 4 root directory)
Offset  0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
0000    F8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0010    FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
0020    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040 through 0100: all 00

Allocation Bitmap
• Keeps track of cluster allocation status
  – Zero – free cluster
  – One – allocated cluster
• 1 byte = tracking of 8 clusters
• Bit zero of byte zero = cluster 2
  – Cluster 0 & cluster 1 are not defined
• Addressed by a directory entry
• With TexFAT – 2 of these (FAT pairing)

Data Hide Alert!
• The Allocation Bitmap and the UP-Case Table are stored as files, and provide hiding space in the metadata
• These files are static, typically won’t move, and have slack space
• Nothing prevents someone from moving these files elsewhere in the cluster heap, and actually making them larger

Directories in exFAT
• Root (VBR pointer)
  – Contains certain critical entries
  – Almost unlimited in size
• Subdirectory (by file entry)
  – Contains file sets
  – 256MiB max size
  – No physical “.” or “..” entries
• Uses 16-bit Unicode for strings
• Every entry is 32 bytes in size
• Entry 0x00 is end of directory
• Has capabilities for user entries

Data Hide Alert!
• Manipulation of the Allocation Bitmap, and creation of user directory entries, provides the capability of hiding a file system within the file system
• It may also be possible to hide data within the directory metadata itself

Entry Type
Type Field   Offset (bits)  Size (bits)
In Use       7              1
Category     6              1
Importance   5              1
Code         0              5

Entry Type
• In Use: 0 – not in use, 1 – in use
• Category: 0 – primary, 1 – secondary
• Importance: 0 – critical, 1 – benign
• Code: identifies the entry

Volume Label Directory Entry
• 0x83 or 0x03 entry
• Primary entry
• Only resident in the root directory
• Contains the volume label
• 16-bit Unicode
• 0x03 means no volume label

Volume Label Directory Entry (hex dump)
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  83 0A 65 00 78 00 46 00 41 00 54 00 2D 00 31 00  ƒ.e.x.F.A.T.-.1.
00000010  32 00 38 00 4B 00 00 00 00 00 00 00 00 00 00 00  2.8.K...........
Type 0x83; volume name length 10; volume label “exFAT-128K”

Allocation Bitmap Directory Entry
• 0x81 entry
• Primary entry
• Only resident in the root directory
• Points to the Allocation Bitmap
  – If TexFAT, then 2 of these
  – Flag bits say which FAT/bitmap
• Cluster address of the bitmap
• Size of the bitmap

Allocation Bitmap Directory Entry (hex dump)
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000    81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0010    00 00 00 00 02 00 00 00 3F 00 00 00 00 00 00 00
Type 0x81; cluster address 2 (bytes 0x14-0x17); size 63 bytes (bytes 0x18-0x1F)

UP-Case Table Directory Entry
• 0x82 entry
• Primary entry
• Only resident in the root directory
• File names are case insensitive
• Used to fold file names
• Table has a checksum (32 bits)

UP-Case Table Directory Entry (hex dump)
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000    82 00 00 00 0D D3 19 E6 00 00 00 00 00 00 00 00
0010    00 00 00 00 03 00 00 00 CC 16 00 00 00 00 00 00
Type 0x82; table checksum (bytes 4-7); cluster address 3; length 0x16CC = 5,836

File Directory Entry Set
• Used to define a file
• May have 3 to 19 entries, or more
• 1 primary, many secondary
• Is considered an array
  – Must be in order
  – Must be contiguous (no gaps)
• Entire set has a checksum

File Directory Entry
• 0x85 or 0x05 entry
• Primary entry
• Set checksum (16 bits)
  – Not modified on file delete
• Secondary count
  – Number of secondary entries that follow
• File attributes
• Timestamps

Timestamps & Time Zones
• 3 timestamps (MAC)
• 32-bit DOS date/time
  – Local machine time
• 10ms offset (MC)
• TZ offset (MAC)
  – 15-minute increments
  – 7-bit signed number
  – ±16 hours
  – Present with UTC support

Timestamp Accuracy
• FAT32 – last access – date only
• exFAT – last access – date/time
• All DOS date/time – double seconds
• 10ms adds 0-1990 ms to the time
• 10ms only for create/modify

Timestamp Reliability
• Timestamps appear to be updated when the file is created or modified
• Last accessed timestamp appears to be updated when the file is created or modified
• Last accessed timestamp appears NOT to be modified on file read
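The following is an added Python example (not from the deck) that decodes the entry-type bit fields and parses the three critical root-directory entries from the bytes shown on the slides: the volume label (0x83), the Allocation Bitmap entry (0x81) and the UP-Case Table entry (0x82). It also looks up a cluster's allocation bit the way the bitmap slide describes (bit 0 of byte 0 is cluster 2) and classifies FAT cell values per the cell-value slide. The 63-byte bitmap contents and the FAT bytes beyond the five cells the deck shows are constructed sample data, chosen to agree with the other slides (bitmap at cluster 2, UP-Case table at cluster 3, root directory at cluster 4, and a 143-cluster file occupying clusters 5-147).

```python
import struct

# Bytes of the three critical root-directory entries from the slides, with the
# hex-dump columns restored to 0-F order (32 bytes each).
VOLUME_LABEL_ENTRY = bytes.fromhex("830A650078004600410054002D003100" "320038004B0000000000000000000000")
BITMAP_ENTRY = bytes.fromhex("81000000000000000000000000000000" "00000000020000003F00000000000000")
UPCASE_ENTRY = bytes.fromhex("820000000DD319E60000000000000000" "0000000003000000CC16000000000000")
# The FAT example from the slides: cell 0 media descriptor, cells 1-4 EOF; the
# zero padding to 512 bytes is constructed.
SAMPLE_FAT = bytes.fromhex("F8FFFFFF" + "FFFFFFFF" * 4).ljust(512, b"\x00")
FAT_SPECIAL = {0x00000000: "no significant meaning", 0x00000001: "not a valid cell value",
               0xFFFFFFF7: "bad block", 0xFFFFFFF8: "media descriptor", 0xFFFFFFFF: "end of file"}


def decode_entry_type(type_byte: int) -> dict:
    """Bit 7 in use, bit 6 category, bit 5 importance, bits 0-4 type code."""
    return {"in_use": bool(type_byte & 0x80),
            "category": "secondary" if type_byte & 0x40 else "primary",
            "importance": "benign" if type_byte & 0x20 else "critical",
            "code": type_byte & 0x1F}


def parse_volume_label(entry: bytes):
    """0x83: character count at byte 1, up to 11 UTF-16LE characters from byte 2.
    0x03 (in-use bit clear) means the volume has no label: returns None."""
    if entry[0] & 0x7F != 0x03:
        raise ValueError("not a volume label entry: 0x%02X" % entry[0])
    if not entry[0] & 0x80:
        return None
    count = entry[1]
    if count > 11:
        raise ValueError("label longer than 11 characters")
    return entry[2:2 + 2 * count].decode("utf-16-le")


def parse_bitmap_entry(entry: bytes) -> dict:
    """0x81: flag bit 0 selects first/second bitmap (TexFAT), first cluster at
    byte 20, size in bytes at byte 24; each byte tracks 8 clusters."""
    if entry[0] != 0x81:
        raise ValueError("not an allocation bitmap entry")
    first_cluster, = struct.unpack_from("<I", entry, 20)
    length, = struct.unpack_from("<Q", entry, 24)
    return {"which": entry[1] & 1, "first_cluster": first_cluster,
            "length": length, "clusters_tracked": length * 8}


def parse_upcase_entry(entry: bytes) -> dict:
    """0x82: 32-bit table checksum at byte 4, first cluster at 20, length at 24."""
    if entry[0] != 0x82:
        raise ValueError("not an up-case table entry")
    checksum, = struct.unpack_from("<I", entry, 4)
    first_cluster, = struct.unpack_from("<I", entry, 20)
    length, = struct.unpack_from("<Q", entry, 24)
    return {"checksum": checksum, "first_cluster": first_cluster, "length": length}


def cluster_allocated(bitmap: bytes, cluster: int) -> bool:
    """Bit 0 of byte 0 is cluster 2; clusters 0 and 1 do not exist."""
    if cluster < 2 or cluster - 2 >= len(bitmap) * 8:
        raise ValueError("cluster %d is outside the bitmap" % cluster)
    index = cluster - 2
    return bool((bitmap[index >> 3] >> (index & 7)) & 1)


def build_sample_bitmap(length: int, allocated: range) -> bytes:
    """Constructed bitmap contents (not from the deck) for the given clusters."""
    bits = bytearray(length)
    for cluster in allocated:
        index = cluster - 2
        bits[index >> 3] |= 1 << (index & 7)
    return bytes(bits)


def fat_cell(fat: bytes, cluster: int) -> int:
    return struct.unpack_from("<I", fat, 4 * cluster)[0]


def describe_fat_cell(value: int) -> str:
    if value in FAT_SPECIAL:
        return FAT_SPECIAL[value]
    if 0xFFFFFFF9 <= value <= 0xFFFFFFFE:
        return "not defined"
    return "next cluster %d" % value          # any value up to 0xFFFFFFF6


if __name__ == "__main__":
    print("label:", parse_volume_label(VOLUME_LABEL_ENTRY))
    print("bitmap:", parse_bitmap_entry(BITMAP_ENTRY))
    print("up-case:", parse_upcase_entry(UPCASE_ENTRY))
    bitmap = build_sample_bitmap(63, range(2, 148))   # metadata + 143-cluster mp3
    for cluster in (2, 5, 147, 148):
        print("cluster %3d allocated: %s" % (cluster, cluster_allocated(bitmap, cluster)))
    for cluster in range(6):
        print("FAT[%d] = 0x%08X %s" % (cluster, fat_cell(SAMPLE_FAT, cluster),
                                      describe_fat_cell(fat_cell(SAMPLE_FAT, cluster))))
```

A 63-byte bitmap tracks at most 504 clusters, so the bitmap entry alone bounds the cluster heap; a bitmap entry whose size does not cover the BPB's cluster count, or a bitmap whose set bits disagree with the FAT and the directory entries, is exactly the inconsistency the "Data Hide Alert" slides describe.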
• Forensics implication on MAC time analysis

File Attributes
Attribute   Offset (bit)  Size (bits)  Mask
Reserved2   6             10
Archive     5             1            0x20
Directory   4             1            0x10
Reserved1   3             1
System      2             1            0x04
Hidden      1             1            0x02
Read-Only   0             1            0x01

File Directory Entry (hex dump)
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000    85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A
0010    44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00
Type 0x85; # secondary entries 4; set checksum 0x92D4; attributes 0x0020 = Archive; create 44 62 86 3B; modified F1 62 BA 3A; accessed 44 62 86 3B; create 10ms A8; modified 10ms 00; TZ offset (C, M, A) EC = GMT-5

Formatted File Directory Entry
Root Entry Type Read is: 85 Directory Entry Record
Checksum: 92D4
Calculated Checksum is: 92D4
Size Directory Set (bytes): 160
Secondary Count: 004
File Attributes: 0020 Archive
Create Timestamp: 3B866244 12/06/2009 12:18:08
Last Modified Timestamp: 3ABA62F1 05/26/2009 12:23:34
Last Accessed Timestamp: 3B866244 12/06/2009 12:18:08
10 ms Offset Create: A8 168
10 ms Offset Modified: 00 0
Time Zone Create: EC 236 Value of tz is: GMT -05:00
Time Zone Modified: EC 236 Value of tz is: GMT -05:00
Time Zone Last Accessed: EC 236 Value of tz is: GMT -05:00

Stream Extension Directory Entry
• 0xC0 or 0x40 entry
• Secondary entry
• Length of name
• Length of file (2 of them)
• Cluster address of first data block
• Name search hash value
• Secondary flags
  – FAT invalid
  – Allocation possible

Stream Extension Directory Entry (hex dump)
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000    C0 03 00 28 AD 3C 00 00 1F 46 1D 01 00 00 00 00
0010    00 00 00 00 05 00 00 00 1F 46 1D 01 00 00 00 00
Entry 0xC0; flags 0x03 (alloc possible / FAT invalid); length of file name 0x28 = 40; name hash 0x3CAD; cluster 5; data length 0x011D461F = 18,695,711

Parameters for Samples
Bytes Per Sector: 2 to the 09 power is: 512
Sectors Per Cluster: 2 to the 08 power is: 256
Bytes per Cluster: 131072 (128K)
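As an added example, not code from the deck, here is a Python parser for the complete directory entry set of the sample mp3: the 0x85 entry above, the 0xC0 stream extension, and the three 0xC1 file name entries whose bytes the deck shows on the following slides. It recomputes the 16-bit set checksum and the name hash with the rotate-right-and-add routines from Microsoft's published exFAT specification, decodes the DOS timestamps with their 10 ms increments and 15-minute UTC offsets, derives the cluster run and slack for a contiguous file (FAT chain invalid) or by following a FAT, and validates a set whose entries have been marked "not in use" by restoring bit 7 before recomputing, since the deck notes the stored checksum is not updated on delete. Assumptions: the 128 KiB cluster size from the "Parameters for Samples" slide, and Python's str.upper() standing in for the on-disk UP-Case table (adequate for this ASCII-only name).

```python
import struct
from datetime import datetime, timedelta, timezone

# The mp3's 160-byte directory entry set from the slides (0x85 file entry,
# 0xC0 stream extension, three 0xC1 name entries), hex-dump columns restored
# to 0-F order.
ENTRY_SET = bytes.fromhex(
    "8504D492200000004462863BF162BA3A" "4462863BA800ECECEC00000000000000"
    "C0030028AD3C00001F461D0100000000" "00000000050000001F461D0100000000"
    "C10062007500730069006E0065007300" "73005F006F0066005F00730065006300"
    "C100750072006900740079005F005F00" "6200750073002D003100300035002D00"
    "C100330032006B006200700073002E00" "6D007000330000000000000000000000")
BYTES_PER_CLUSTER = 512 * 256      # 128 KiB, per the "Parameters for Samples" slide
ATTRIBUTE_NAMES = {0x01: "Read-Only", 0x02: "Hidden", 0x04: "System",
                   0x10: "Directory", 0x20: "Archive"}


def entry_set_checksum(entries: bytes) -> int:
    """16-bit set checksum (spec algorithm): rotate right by one and add every
    byte of the set except the stored checksum itself (bytes 2-3)."""
    checksum = 0
    for index, byte in enumerate(entries):
        if index in (2, 3):
            continue
        checksum = ((0x8000 if checksum & 1 else 0) + (checksum >> 1) + byte) & 0xFFFF
    return checksum


def name_hash(upcased_name: str) -> int:
    """Same rotate-and-add over the UTF-16LE bytes of the up-cased file name."""
    value = 0
    for byte in upcased_name.encode("utf-16-le"):
        value = ((0x8000 if value & 1 else 0) + (value >> 1) + byte) & 0xFFFF
    return value


def decode_timestamp(dos: int, ten_ms: int = 0, utc_offset: int = 0) -> datetime:
    """32-bit DOS date/time (2-second resolution) + 10 ms increment + TZ byte:
    bit 7 of the TZ byte says the offset is valid, bits 0-6 are a signed count
    of 15-minute steps."""
    date, time = dos >> 16, dos & 0xFFFF
    stamp = datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                     time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    if utc_offset & 0x80:
        steps = utc_offset & 0x7F
        steps = steps - 128 if steps >= 64 else steps
        stamp = stamp.replace(tzinfo=timezone(timedelta(minutes=15 * steps)))
    return stamp + timedelta(milliseconds=10 * ten_ms)


def parse_entry_set(entries: bytes) -> dict:
    primary = entries[:32]
    if primary[0] & 0x7F != 0x05:                     # 0x85 in use, 0x05 not in use
        raise ValueError("not a file directory entry: 0x%02X" % primary[0])
    if len(entries) != 32 * (primary[1] + 1):         # secondary count + primary, contiguous
        raise ValueError("entry set must hold %d contiguous entries" % (primary[1] + 1))
    stored_checksum, attributes = struct.unpack_from("<HH", primary, 2)
    create, modified, accessed = struct.unpack_from("<III", primary, 8)
    c10, m10, tz_c, tz_m, tz_a = primary[20:25]
    stream = entries[32:64]
    if stream[0] & 0x7F != 0x40:
        raise ValueError("second entry must be the stream extension")
    name_length, stored_hash = stream[3], struct.unpack_from("<H", stream, 4)[0]
    valid_data_length = struct.unpack_from("<Q", stream, 8)[0]
    first_cluster = struct.unpack_from("<I", stream, 20)[0]
    data_length = struct.unpack_from("<Q", stream, 24)[0]
    # 0xC1 entries carry 15 UTF-16 characters each, in order (unlike FAT32 LFN).
    pieces = [entries[off + 2:off + 32].decode("utf-16-le")
              for off in range(64, len(entries), 32) if entries[off] & 0x7F == 0x41]
    name = "".join(pieces)[:name_length]
    return {"in_use": bool(primary[0] & 0x80),
            "attributes": [n for bit, n in ATTRIBUTE_NAMES.items() if attributes & bit],
            "stored_checksum": stored_checksum,
            "checksum_ok": entry_set_checksum(entries) == stored_checksum,
            "created": decode_timestamp(create, c10, tz_c),
            "modified": decode_timestamp(modified, m10, tz_m),
            "accessed": decode_timestamp(accessed, 0, tz_a),   # no 10 ms field for access
            "name": name, "stored_hash": stored_hash,
            "hash_ok": name_hash(name.upper()) == stored_hash,  # upper(): up-case table stand-in
            "no_fat_chain": bool(stream[1] & 0x02),
            "first_cluster": first_cluster, "data_length": data_length,
            "valid_data_length": valid_data_length}


def cluster_run(first_cluster, data_length, bytes_per_cluster, no_fat_chain, fat=()):
    """Clusters holding the data: arithmetic when the FAT chain is marked invalid
    (contiguous file), otherwise by following FAT cells until 0xFFFFFFFF."""
    count = -(-data_length // bytes_per_cluster)    # ceiling division
    if no_fat_chain:
        return list(range(first_cluster, first_cluster + count))
    run, cluster = [], first_cluster
    while cluster != 0xFFFFFFFF and len(run) < count:
        run.append(cluster)
        cluster = fat[cluster]
    return run


def slack_bytes(data_length, bytes_per_cluster):
    """Unused tail of the last cluster (the occupied part is data_length % cluster)."""
    return -(-data_length // bytes_per_cluster) * bytes_per_cluster - data_length


def checksum_matches_after_restore(entries: bytes) -> bool:
    """Validate a recovered 'not in use' set: the stored checksum was computed
    with the in-use bits set, so restore bit 7 of each entry before recomputing."""
    data = bytearray(entries)
    for off in range(0, len(data), 32):
        data[off] |= 0x80
    return entry_set_checksum(data) == struct.unpack_from("<H", data, 2)[0]


if __name__ == "__main__":
    info = parse_entry_set(ENTRY_SET)
    for key, value in info.items():
        print("%-18s %s" % (key, value))
    run = cluster_run(info["first_cluster"], info["data_length"], BYTES_PER_CLUSTER, info["no_fat_chain"])
    print("clusters %d-%d (%d), slack %d bytes" % (run[0], run[-1], len(run),
                                                   slack_bytes(info["data_length"], BYTES_PER_CLUSTER)))
    deleted = bytes(b & 0x7F if i % 32 == 0 else b for i, b in enumerate(ENTRY_SET))   # 0x05/0x40/0x41
    print("recovered set validates after restoring in-use bits:", checksum_matches_after_restore(deleted))
```

Run on the slide's bytes this reproduces the deck's values: checksum 0x92D4, name hash 0x3CAD, creation time 12/06/2009 12:18:08 local plus 1.68 s at GMT-5, clusters 5 through 147. Note that 18,695,711 mod 131,072 = 83,487 is the occupied part of the last cluster; the unused tail of that cluster, which is the slack a carver should examine, is 47,585 bytes.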
Formatted Stream Extension
Root Entry Type Read is: C0 Directory Entry Record, Stream Extension
Secondary Flags: 03
Flag Bit 0: Allocation Possible
Flag Bit 1: FAT Chain Invalid
Length of UniCode Filename is: 40
Name Hash Value is: AD3C
Stream Extension First Cluster 5
Cluster 5 is Allocated
Stream Extension Data Length 18695711 Bytes  Slack: 83487  Clusters Used: 143
Stream Extension Valid Data Length 18695711 Bytes  Slack: 83487  Clusters Used: 143

File Name Extension Directory Entry
• 0xC1 or 0x41 entry
• Secondary entry
• Secondary flags
  – Allocation not possible
  – FAT invalid
• 15 characters (30 bytes) of name
• Name in 16-bit Unicode
• In order (FAT32 LFN was reversed)
• Up to 17 max, total 255 characters

File Name Extension Directory Entry (hex dump of the three name entries of the sample file)
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000    C1 00 62 00 75 00 73 00 69 00 6E 00 65 00 73 00  Á.b.u.s.i.n.e.s.
0010    73 00 5F 00 6F 00 66 00 5F 00 73 00 65 00 63 00  s._.o.f._.s.e.c.
0000    C1 00 75 00 72 00 69 00 74 00 79 00 5F 00 5F 00  Á.u.r.i.t.y._._.
0010    62 00 75 00 73 00 2D 00 31 00 30 00 35 00 2D 00  b.u.s.-.1.0.5.-.
0000    C1 00 33 00 32 00 6B 00 62 00 70 00 73 00 2E 00  Á.3.2.k.b.p.s...
0010    6D 00 70 00 33 00 00 00 00 00 00 00 00 00 00 00  m.p.3...........
File Name = business_of_security__bus-105-32kbps.mp3

Significance of the “not in use” flag
• 0x05, 0x40 & 0x41 entries
  – “Not in use” may mean deleted files
  – May also be a reallocated rename
• Set checksum not changed when entries are marked “not in use”

Summary
• exFAT is a new generation of the FAT family of Microsoft file systems
• The need for forensics tools will heat up in 2010
• We don’t have the right tools yet
• Documentation and support for exFAT is scarce

Q&A

Contact Information
• E-mail: rshullic@earthlink.net
• Blog: rshullic.wordpress.com
• Blog: shullich.blogspot.com

References
SANS Reading Room: http://www.sans.org/reading_room/whitepapers/forensics/rss/reverse_engineering_the_microsoft_exfat_file_system_33274
Microsoft Patent: Microsoft Patent 0164440 (June 25, 2009). Quick Filename Lookup Using Name Hash. Pub No. US 2009/0164440 A1. Retrieved December 10, 2009 from http://www.pat2pdf.org/patents/pat20090164440.pdf